Troubleshooting slow DNS lookup

Kalman Feher kalman.feher at
Fri Nov 26 08:38:46 UTC 2010

On 26/11/10 5:58 AM, "Mark Andrews" <marka at> wrote:

> In message <AANLkTimZMC4PGNe7N72hnB7gnjUaT9r2OKTiGAazv4RP at>, Rianto Wahyudi writes:
>> Hi Mark,
>> Thanks for the pointers, you are spot on!
>> Doing dig +trace +dnssec always fails.
>> After some investigation with the network guys, it appears that our upstream
>> firewall is dropping DNS UDP packets larger than 512.
>> Cisco FWSM has this configuration enabled by default:
>> l#wp1565355
> So the default is "inspect dns maximum-length 512" if I read that
> page correctly.  "inspect dns" or, as a minimum, "inspect dns
> maximum-length 4096" will allow reply traffic through for named.
> I thought I had heard that Cisco had code which looked for the EDNS
> UDP size option and adjusted the maximum length based on that on a
> per-transaction basis and enforced 512 if there wasn't an EDNS option.
Yes, but I think it's a recent addition to their code.

The Cisco ASA supports:

message-length maximum client auto

This will use the OPT value as the maximum. I know it's supported on version
8.3 of ASA software. It might not be supported by the switch modules of the

> Mark

Kal Feher 
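The thread's diagnosis (an upstream firewall silently dropping UDP DNS replies above 512 bytes, which `dig +trace +dnssec` exposes because DNSSEC answers are large) can be checked without dig. The script below is an added example, not code from the thread or from BIND: it hand-builds a query carrying an EDNS0 OPT record (the same option that the Cisco "maximum client auto" mode reads), sends it once advertising a 512-byte buffer and once advertising 4096 bytes, and compares what comes back. The resolver address and query name on the command line are assumptions; the sample packets inside the file are constructed for offline use.

```python
#!/usr/bin/env python3
"""Probe a resolver for a middlebox that drops EDNS replies larger than 512 bytes.
Added example; uses only the standard library."""
import socket
import struct
import sys

DNS_TYPE_OPT = 41          # OPT pseudo-RR type (RFC 6891)
TC_FLAG = 0x0200           # truncation bit in the DNS header flags


def build_edns_query(name, qtype=1, udp_size=4096, txid=0x1234, dnssec_ok=True):
    """Return a wire-format DNS query for `name` with an EDNS0 OPT record.
    udp_size goes in the OPT CLASS field; the DO bit sits in the OPT TTL field."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, QD=1, AR=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # qtype, class IN
    ttl_field = 0x8000 if dnssec_ok else 0                      # DO bit = MSB of flags
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, ttl_field, 0)
    return header + question + opt


def parse_response(data):
    """Decode the 12-byte header of a DNS reply; size is the whole datagram."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & 0x000F, "tc": bool(flags & TC_FLAG),
            "answers": an, "additional": ar, "size": len(data)}


def probe(server, name, udp_size, timeout=3.0):
    """Send one EDNS query over UDP; None means no reply before the timeout."""
    query = build_edns_query(name, udp_size=udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(data)


def diagnose(small, large):
    """Interpret the 512-byte and 4096-byte probe results (parsed dicts or None)."""
    if small is None and large is None:
        return "no reply at all: resolver unreachable or all DNS blocked"
    if small is not None and large is None:
        return "reply only when advertising 512 bytes: a middlebox is likely dropping UDP DNS larger than 512 bytes"
    if large is not None and large["size"] > 512:
        return "large UDP reply received: no 512-byte limit on this path"
    return "all replies fit in 512 bytes: inconclusive, query a name with a bigger (DNSSEC-signed) answer"


# Constructed sample replies for offline checks: a normal reply and a truncated one.
SAMPLE_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + b"\x00" * 600
SAMPLE_TC = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1) + b"\x00" * 40

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"   # assumed resolver (TEST-NET)
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"    # assumed signed zone
    small = probe(server, name, 512)
    large = probe(server, name, 4096)
    print("512 :", small)
    print("4096:", large)
    print(diagnose(small, large))
```

Run it from inside the firewall against the recursive server that is failing; a reply to the 512-byte probe (usually with TC set, forcing TCP fallback) combined with silence on the 4096-byte probe is the signature the thread describes, and after "inspect dns maximum-length 4096" or "message-length maximum client auto" is applied the second probe should return a datagram larger than 512 bytes.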
